Overriding nonce verification in the login form #1636
Labels:
Enhancement: For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.
Major: Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
wontfix: If you can reproduce this issue, please reopen the issue or create a new one describing it.
To enable direct login to Piwik from my Virtualmin Piwik plugin, I am posting pre-set username-password combinations to Piwik through a frame. Cookies are preserved (client-side) by pre-loading Piwik in a hidden iframe. However, it gets stuck with nonce validation inside the Login module, where the nonce is checked against a form variable.
This works perfectly when nonce verification is bypassed.
I have seen and worked around similar security checks in phpMyAdmin. But there's one noticeable difference between Piwik and phpMyAdmin: unlike Piwik, phpMyAdmin checks for the token in a cookie variable.
Nobody, including me, would want the nonce check removed. However, it would be great if Piwik supported third-party/framed logins without any patches or the implementation of just another full-featured login module. Ideally, I am thinking about two possible ways around this:
I would also like to draw your attention to the issues users had recently with double requests from browsers/add-ons (see [1236]). Relocating the nonce to a short-lived cookie would most probably be a permanent solution to such future issues as well.
I am asking for this help here because the plugin I am working on is going to be released to the public. Hence, I would prefer an official way to authenticate rather than patching or making complex additions to the Piwik source.
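As an added illustration of the two designs the post contrasts, not code from Piwik or the Virtualmin plugin: a server-side nonce returned in a form field (assumed here to be single-use, which is the model under which the duplicate requests of [1236] fail) next to a short-lived, HMAC-signed nonce that travels in both a cookie and the form. All names and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example; hypothetical names, not Piwik/Matomo code.
NONCE_TTL = 300                     # assumed lifetime in seconds
SECRET = secrets.token_bytes(32)    # per-process server key


class FormNonceStore:
    """Design 1: nonce issued with the form, stored server-side, consumed on submit."""

    def __init__(self):
        self._issued = {}           # nonce -> expiry timestamp

    def issue(self, now):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = now + NONCE_TTL
        return nonce

    def verify(self, form_nonce, now):
        expiry = self._issued.pop(form_nonce, None)   # one-time use
        return expiry is not None and now < expiry


def issue_cookie_nonce(now):
    """Design 2: stateless value 'expiry:HMAC(expiry)' set in a short-lived cookie."""
    expiry = str(int(now) + NONCE_TTL)
    tag = hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()
    return f"{expiry}:{tag}"


def verify_cookie_nonce(cookie_nonce, form_nonce, now):
    """Double-submit check: cookie and form value must match, be untampered and unexpired."""
    if not hmac.compare_digest(cookie_nonce, form_nonce):
        return False
    expiry, _, tag = cookie_nonce.partition(":")
    if not expiry.isdigit():
        return False
    expected = hmac.new(SECRET, expiry.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and now < int(expiry)


def simulate_double_submit(now=1000.0):
    """Replay the same POST twice, as a browser add-on might; return both designs' outcomes."""
    store = FormNonceStore()
    n = store.issue(now)
    form_results = (store.verify(n, now + 1), store.verify(n, now + 2))
    c = issue_cookie_nonce(now)
    cookie_results = (verify_cookie_nonce(c, c, now + 1), verify_cookie_nonce(c, c, now + 2))
    return form_results, cookie_results
```

The cookie variant survives the duplicate request because nothing is consumed server-side; it still rejects expired or tampered values, but like any double-submit scheme it relies on the attacker being unable to set cookies for the site.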